On Wed, Nov 3, 2021, 6:33 PM Stefan Claas
   <[1]spam.trap.mailing.lists@gmail.com> wrote:

     On Wed, Nov 3, 2021 at 5:11 PM Karl <[2]gmkarl@gmail.com> wrote:
     >
     > the guy wasn't from [3]openpgp.org, and coderman posted it to this
     list in 2019:
     [4]https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
     >
     > the new keyserver is called hockeypuck I believe.
     Hi Karl,
     Why do you still rely on OpenPGP WoT signatures, when it comes
     to cryptography? If we both or you with others would use an offline
     device for key pair creation (and message generation) and then say
     would use NaClbox or age, for example, you don't have to deal with
     all this key management stuff, which is IMHO really annoying, when
     you have to use PGP on a daily basis, with several communication
     partners.

   Well,
   - the spampost was on os media verification, which is not available via
   age.  this is the biggest reason and should be obvious.  here are other
   scattered reasons:
   - you may not be aware, but WoT is not anything anyone is forcing you
   to do, pgp can operate without it, but it is a feature I would expect a
   good asymmetric cryptography system to support
   - pgp works fine on an offline device as you propose
   - pgp is a well-recognised standard that has undergone extensive review
   and normalisation, and is likely open to processes of further
   improvement
   - I don't know why you would say this strange thing you are saying, but
   I am interesting in learning modern approaches like age
   - go is kind googley to me, I worry its internal architecture may not
   defend interests of other communities, it would be nice if we had
   accessible transpiling to maintain language-agnostic tools soon
   However of course,
   - pgp is old, so people trying to misuse it know it very well.  not
   likely so true of other things.
   - pgp is somewhat cumbersome in many ways needlessly

     The (Open)BSD folks, for example, switched long ago to signify,

   openbsd is incredible but they have indicated trust of infrastructure
   and governments, unsure why

     for package signing and sequoia-pgp (Testimonial by Mr. Zimmermann)
     no longer uses key signing for a WoT.

   haven't looked at sequoia-pgp, haven't always gotten too much into this
   stuff
   do you argue against keysigning because of the dangers produced by
   spreading documentation of personal connections? it seems like an
   important trust mechanism to provide for people who can hold any risk
   of using it.
   obviously without an out of band channel for cryptographic trust you
   have no way of knowing anything on the internet is real

References

   1. mailto:spam.trap.mailing.lists@gmail.com
   2. mailto:gmkarl@gmail.com
   3. http://openpgp.org/
   4. https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f